[Freeipa-users] Add user -> custom script

Sigbjorn Lie sigbjorn at nixtra.com
Fri Sep 16 16:12:08 UTC 2011


On 09/16/2011 05:43 PM, Alexander Bokovoy wrote:
> On Fri, 16 Sep 2011, Sigbjorn Lie wrote:
>>>> We can't do it now. AFAIR there was a ticket about something like this
>>>> in the deferred bucket... Could not find it... But I remember a discussion.
>>>> We might need to file a ticket to track this but sounds like something
>>>> that will take a lot of time to accomplish.
>>> Attached untested patch is a proof of concept. If /etc/ipa/server.conf
>>> has the following setting:
>>>
>>> ipa_user_script=/path/to/script
>>>
>>> then during add/delete/modify of a user, it will be called with
>>> add/del/mod as first parameter and user's dn as second. Result of
>>> the call is ignored but return from IPA server is blocked by the
>>> execution so be quick in ipa_user_script!
>> Excellent, thank you! I will try this!!
> Make sure you read what Simo wrote about deficiencies of this solution
> and in part that it runs under apache privileges. As you need to
> trigger action on a different host, it might be enough but still poses
> possible privilege escalation in your environment.

I sure do agree to that.  :)
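
An added example, not part of the original thread or of the attached patch: a hook for the ipa_user_script setting described in the quoted message that only validates its two parameters and spools the event, so it returns quickly and does no real work under apache privileges. The DN pattern, the spool path and all function names are assumptions; a separate worker (not shown) would act on the spooled files.

```python
import json
import os
import re
import sys
import time

ALLOWED_ACTIONS = {"add", "del", "mod"}  # first parameter, as described in the thread
# Assumption: user DNs look like uid=<login>,cn=users,cn=accounts,dc=...
USER_DN = re.compile(
    r"uid=[A-Za-z0-9._-]{1,64},cn=users,cn=accounts(,dc=[A-Za-z0-9-]{1,63})+")
SPOOL_DIR = "/var/spool/ipa-user-hook"  # hypothetical; writable by apache only


def parse_event(argv):
    """Return (action, dn) or raise ValueError. Nothing here reaches a shell."""
    if len(argv) != 2:
        raise ValueError("expected: <add|del|mod> <user dn>")
    action, dn = argv
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action")
    if not USER_DN.fullmatch(dn):
        raise ValueError("second parameter is not a plain user DN")
    return action, dn


def spool_event(action, dn, spool_dir=SPOOL_DIR):
    """Write one event file atomically (O_EXCL, mode 0600); return its path."""
    name = "%d-%d.json" % (time.time_ns(), os.getpid())
    tmp = os.path.join(spool_dir, "." + name)
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"ts": time.time(), "action": action, "dn": dn}, fh)
    final = os.path.join(spool_dir, name)
    os.rename(tmp, final)  # worker never sees a half-written file
    return final


def main(argv):
    try:
        action, dn = parse_event(argv)
    except ValueError as exc:
        sys.stderr.write("ipa-user-hook rejected call: %s\n" % exc)
        return 2
    spool_event(action, dn)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Since the result of the call is ignored by the server, rejected calls are only visible on stderr, so whatever captures the hook's stderr is where to look for them.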





